Exclusive: New regulations and new horizons are both opportunities and challenges!

Mondo Finance Updated on 2024-01-31

Operational risk refers to the risk of loss due to problems with internal procedures, employees, IT systems and external events, including legal risks, but excluding strategic risks and reputational risks. Operational risk is not only listed as one of the three major risks of financial institutions along with credit risk and market risk, but is also one of the main factors that cause major risk losses such as credit risk loss and market risk loss. Operational risk prevention and control plays a pivotal role in the field of risk management of financial institutions.

On December 29, 2023, the State Administration of Financial Supervision and Administration issued the Measures for the Management of Operational Risk of Banking and Insurance Institutions (hereinafter referred to as the "New Regulations"), which systematically clarify the governance structure, management process, and supervision and management of operational risk management, and serve as the criterion and program for operational risk management in the banking and insurance field. The new regulations were officially issued and implemented at the current point in time, which not only meets the actual needs of the current operational risk prevention and control situation of banking and insurance institutions, but also fits the strategic tone of "comprehensively strengthening financial supervision, improving the financial system, optimizing financial services, and preventing and resolving risks" proposed by this year's first financial work conference.

For banking institutions, as early as 2007, the former China Banking Regulatory Commission (CBRC) issued the Guidelines for Operational Risk Management of Commercial Banks (hereinafter referred to as the "Old Regulations"), which played a positive role in standardizing the operational risk management of commercial banks, but many years have passed, and they can hardly meet the needs of the complex operational risk prevention and control situation in recent years. For insurance institutions, the former China Banking and Insurance Regulatory Commission (CBIRC) issued the Solvency Supervision Rules for Insurance Companies in 2021 to clarify the management requirements for the operational risk of insurance companies and establish a basic framework for the operational risk management of insurance companies, but there is still an urgent need to clarify a more specific set of operational risk management system components. In recent years, domestic banking and insurance institutions have accumulated a series of good practices in operational risk management, but have also exposed problems such as ineffective management tools and insufficient investment in management resources. Under these circumstances, it is not only necessary for banking and insurance institutions to upgrade their "active management" and continuously innovate and improve their management methods, but also for regulators to strengthen "supervision and regulation" and continuously guide and supervise banking and insurance institutions to implement sound operational risk management.

The new rules have many enhancements and changes compared to the old rules

More importantly, in response to the deficiencies exposed in practice, the new regulations put forward more comprehensive and specific guidelines, including improving the definition of operational risks, clarifying risk governance and management responsibilities, stipulating basic requirements for risk management, refining risk management processes and methods, and improving supervision and management responsibilities. Among them, the most important and far-reaching changes are:

The first is to clarify the relationship between operational risk and compliance risk. The new regulations stipulate that legal risks include "business or management activities that violate laws, regulations or regulatory provisions, and may bear criminal or administrative liability in accordance with the law", clarifying that operational risks basically include compliance risks, eliminating long-standing differences and controversies in the industry about the relationship between the two, and strengthening the common foundation for the linkage management of operational risks and compliance risks.

The second is to specify the necessary content to improve the governance of the three lines of defense. The new regulations summarize the industry's good governance structure of the three lines of defense for operational risks, grasp the key elements of improving the governance of the three lines of defense, including resource investment, information sharing, audit evaluation, etc., and point out the direction for banking and insurance institutions to improve the governance of the three lines of defense, so as to solve the problems of insufficient strength, insufficient synergy, unclear responsibilities and lack of evaluation.

The third is to determine operational risk appetite and governance requirements for transmission. In view of the current lack of control over the operational risk exposure level of the management of banking and insurance institutions, the new regulations deeply explore the excellent role of operational risk preference indicators, determine the requirements for the setting and transmission of operational risk preference indicators, create opportunities for a timely, comprehensive and accurate grasp of operational risk status, and also open a new starting point for quantitative management of operational risk appetite.

The fourth is guidance on a number of enhanced operational risk management measures and tools to improve internal control requirements. To this end, the new regulations draw on and absorb international regulatory standards, refer to the practice and exploration of leading peers, guide a more comprehensive and enhanced tool system, and put forward control monitoring and assurance frameworks, scenario analysis, benchmark comparative analysis, incident management and other methods and rules. Internal control requirements such as inspection management, post management, and employee behavior management have fully enriched the management methods and formed a more sound set of management tools and control systems.

The fifth is to suggest the governance ideas for specific types of operational risks. At present, most of the functions of the second line of defense of banking and insurance institutions are concentrated in a single department team, and the new regulations require the establishment of special management systems and mechanisms for special types of operational risks such as major change risks, data security risks, business continuity risks, and outsourcing risks, suggesting the governance idea of multiple professional department teams forming a second line of defense network.

The new regulations will have a profound positive impact on banking and insurance institutions

At present, banking and insurance institutions are generally in need of innovative and refined operational risk management methods and tools to improve the quality and efficiency of operational risk management. The promulgation of the new regulations not only sets a new regulatory baseline for the operational risk management of banking and insurance institutions, but more importantly, it will greatly promote the strengthening of risk control by banking and insurance institutions in the three aspects of risk governance, methods and tools, and resource protection, which is bound to have a profound positive impact on banking and insurance institutions.

The first is to improve the effectiveness of risk management. Since Basel II incorporated operational risk into the risk measurement and management system, operational risk governance has always been an important issue in the corporate governance of banks. In particular, the new regulations put forward three lines of defense governance and management responsibilities, concretize the management responsibilities of the board of directors, the board of supervisors and senior management, clarify the risk appetite and transmission role, emphasize the role of risk reporting, appraisal rewards and punishments, and special audits, and clarify that operational risks include compliance risks.

The second is to improve the role of methods and tools. Drawing on the latest rules of international supervision, the new regulations have built a more complete system of management tools, including a number of enhanced measures and tools such as control monitoring and assurance framework, risk control of major changes, risk event reporting, stress testing, data security management, etc., and improved the key points of internal control, which is bound to promote banking and insurance institutions to optimize or reconstruct their operational risk management systems, effectively embed operational risk management into various business risk control mechanisms, and improve the level of risk management.

The third is to promote the guarantee of risk control resources. After extensive investigation and research, the new regulations have clarified the bottom-line resource requirements for the allocation of dedicated personnel and posts for the first and second lines of defense, stipulated that the management should allocate sufficient resources such as financial, human resources and information technology systems for operational risk management, and required the establishment and improvement of risk data and information sharing mechanisms among and within the three lines of defense. Thanks to these regulations, with the support of follow-up supervision and regulation, it is bound to increase the attention of banking and insurance institutions to operational risks and promote the protection of risk control resources.

Challenges for banking and insurance institutions to address in implementing the new regulations

Compared with the old regulations, a considerable number of the enhancements of the new regulations have not yet formed a unified understanding and good practice in the industry, and banking and insurance institutions are expected to face many challenges when implementing the requirements of the new regulations, which urgently requires banking and insurance institutions to plan ahead and integrate knowledge and action.

The first is to clarify gaps and plan well. Banking and insurance institutions should first recognize the problems existing in the current management status, clarify the gaps with the requirements of the new regulations and good practices, and formulate a construction vision and plan that matches the development level and strategy based on the nature, scale and complexity of their own business, so as to ensure that they can at least meet the requirements of the regulatory bottom line and build a substantial and effective risk prevention and control system.

The second is to change the concept and deepen the governance. Banking and insurance institutions should fully recognize that operational risk is the main cause of major risk losses, regard operational risk as one of the most important risks of the institution, form a risk culture of "risk control creates value" throughout the bank, and, through systems, regulations, etc., integrate operational risk appetite into various institutions and businesses.

The third is to innovate methods and solve problems. Banking and insurance institutions should fully grasp the spirit and guidance of the new regulations, innovate methods, continuously build smooth operational risk management links, overcome problems, and realize three-dimensional and digital monitoring of "institutions, businesses, processes, links, controls, positions, personnel, and risks".

The fourth is to safeguard resources and implement measures. Banking and insurance institutions should do a good job in ensuring resources: first of all, ensure the professional resources needed to deepen governance, innovate methods, and solve problems, so as to ensure that they can continue to produce good measures; secondly, ensure the special resources required for the implementation of excellent measures in the business of each institution, ensure the effective operation of excellent measures, adapt to new situations and new changes in a timely manner, and avoid the decoupling of personnel implementation from rules and regulations, fixed actions and the essence of risk control.

The new regulations fully refer to and absorb the practice and exploration of domestic banking and insurance institutions, and also draw on the latest international regulatory rules, which are quite empirical, practical and forward-looking. With the active management of banking and insurance institutions and the gradual implementation of regulatory compliance supervision, the new regulations will effectively promote the operational risk management of China's banking and insurance institutions, and continue to catalyze "high tactics to deal with and resolve risk challenges".

Text by Ernst & Young partner Zhang Chao.

Edited by Li Mengxi.

Intern Li Haochen.
